In addition, an exploit pack known as "Incognito" (there are rumors that Incognito development stopped after v.2 in 2011 and this is something else) and Eleonore added CVE-2011-3521 (? likely, see comments below) as well.

I will add the "Incognito" version when I can.

This is just a quick post to share samples (kindly offered by Hendrik Adrian of 0Day.jp) and found in the wild, together with links to analyses that were already done for these or similar samples.

CVE number: CVE-2012-0507

A malicious Java applet stored within a Java archive (.JAR) that attempts to exploit a vulnerability in the Java Runtime Environment (JRE) up to and including version 7 update 2, version 6 update 30 and version 5 update 33. The vulnerability is described in CVE-2012-0507.
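The affected-version statement above is the check a responder actually needs when triaging hosts. The following is an added example, not code from the original post or from any of the referenced analyses: it parses the legacy `1.x.0_NN` form that `java -version` reported for JRE 5, 6 and 7 and reports whether the string falls inside the range the post names (7u2, 6u30, 5u33 and earlier). The class and method names are hypothetical, and version strings outside that legacy format (JRE 9 and later, or families the post does not mention) are treated as "no claim made".

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Constructed example: decides whether a legacy JRE version string lies in
// the CVE-2012-0507 affected range stated in the post.
public class Jre20120507Check {

    // Matches "1.5.0_33", "1.6.0_30-b12", "1.7.0_02", or "1.7.0" (no update).
    private static final Pattern LEGACY = Pattern.compile("^1\\.([567])\\.0(?:_(\\d+))?");

    // Latest affected update per family, as given in the post:
    // 7 update 2, 6 update 30, 5 update 33 (inclusive).
    static boolean isAffected(String version) {
        Matcher m = LEGACY.matcher(version.trim());
        if (!m.find()) {
            return false; // not a 5/6/7 legacy-format string: the post makes no statement about it
        }
        int family = Integer.parseInt(m.group(1));
        int update = m.group(2) == null ? 0 : Integer.parseInt(m.group(2));
        switch (family) {
            case 7:  return update <= 2;
            case 6:  return update <= 30;
            default: return update <= 33; // family 5
        }
    }

    public static void main(String[] args) {
        // With no argument, check the JRE this program is running on.
        String v = args.length > 0 ? args[0] : System.getProperty("java.version");
        System.out.println(v + (isAffected(v)
                ? " : inside the CVE-2012-0507 affected range"
                : " : outside the stated affected range"));
    }
}
```

Run it as `java Jre20120507Check 1.6.0_30` (reports affected) or `java Jre20120507Check 1.6.0_31` (reports outside the range); build identifiers such as `-b12` after the update number are ignored by the pattern.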

and as you see the only change they were doing is making it impossible to mutate the __ids array by cloning it. Therefore an exploit that exploits it would need to, at some point, obtain a String array from a CORBA class (by directly or indirectly calling _ids) and modify the value in there. In addition, I doubt you can use this vulnerability to execute arbitrary Java code outside the sandbox and/or disable the security manager. You may be able to use it to mess with other CORBA internals (CORBA has some special privileges wrt. socket connections, like listening on privileged ports or connecting to any host), but no RCE.

In addition, the classes in the AX package look like they try to mirror the in-memory structure of privileged classes (AccessibleObject and Method), therefore making it probable they try to exploit a type confusion as required for exploiting CVE-2011-3521 (like in my article linked below).

HOWEVER, the 2011-3521 was fixed 4 months earlier than 2012-0506, so if you or anyone else has tested it on a release released in the meantime, and it could exploit it, it would mean that my theory is wrong and it must have been one of the other exploits from the February advisory.
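The comment above describes the CVE-2012-0506 fix as "cloning the __ids array" so that callers can no longer mutate it. The following is an added illustration of that defensive-copy pattern in plain Java; it is not JDK or CORBA code and the class and method names are hypothetical. It places a getter that returns its internal array beside one that returns a copy, and shows that writes through the second getter's result never reach the object's private state.

```java
import java.util.Arrays;

// Constructed example: returning an internal array versus a defensive copy.
public class DefensiveCopyDemo {

    // "Before": callers receive the instance's own array and can rewrite it.
    static final class LeakyIds {
        private final String[] ids = {"IDL:example/Hello:1.0"};
        String[] ids() { return ids; }
    }

    // "After": every call returns a fresh copy; writes to the copy never
    // reach the private field. This is the effect the comment attributes
    // to the _ids clone fix.
    static final class CopyingIds {
        private final String[] ids = {"IDL:example/Hello:1.0"};
        String[] ids() { return ids.clone(); }
    }

    // True if the object's state differs from an earlier snapshot of it.
    static boolean stateChanged(String[] snapshot, String[] current) {
        return !Arrays.equals(snapshot, current);
    }

    public static void main(String[] args) {
        LeakyIds leaky = new LeakyIds();
        String[] before = leaky.ids().clone();   // snapshot taken before tampering
        leaky.ids()[0] = "tampered";             // write through the returned reference
        System.out.println("LeakyIds mutated through getter: "
                + stateChanged(before, leaky.ids()));   // true

        CopyingIds safe = new CopyingIds();
        String[] before2 = safe.ids();
        safe.ids()[0] = "tampered";              // only the throwaway copy changes
        System.out.println("CopyingIds mutated through getter: "
                + stateChanged(before2, safe.ids()));   // false
    }
}
```

`clone()` on an array is a shallow copy; it is sufficient here because the elements are immutable `String`s, but a getter that returns an array of mutable objects would need to copy the elements as well.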

Saw and read all the references written here. Can't say much, too many "grey" zones. So below are just some comments:

1. The exploit code PoC / Shellcode / ASM code of the CVE-2012-0506 is badly needed. Still Mitre is currently under review regarding it. CORBA was a vector used by this exploit, to break JRE privileges which is the bottom line of the CVE-2012-0506 attack; some malware directly imports CORBA classes to feed it w/ strings to overflow the stack, so what should this be called then? Why suddenly does it have to be merged with CVE-2011-3521? So what is the purpose of Mitre releasing CVE-2012-0506? Just don't get it.

2. CVE-2011-3521 (under review) & CVE-2012-0507 have the same JVM target. Yet there have to be slight differences. I examined the PoC of CVE-2012-0507 clearly enough, yet am not finding a solid CVE-2011-3521 PoC. No further comment.

3. The vulnerability talk. These 2 (three) exploitations' fixes were already released. Yet the vector is still in a grey zone; was someone even confirming that the released patch REALLY fixes the flaw? AFAIK, we got many "under review" CVEs and two are w/o PoC.

Just put the log dumps upon exploit reproduction using malware file y.jar in VirusTotal here: https://www.virustotal.com/file/d34a18ce96afa97e4e1de5bfb00b953b547c7dad84acf35e1969518447eda152/analysis/ Only this that I can grab. I will use this RAT for other tests so don't hope for me to save the logs. I hope other researchers also share their dumps. I really hate to admit that malware makers know better about the JRE flaws..

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.